A fascinating legal theory is beginning to come out of the oven that may change how we think of digital information as property. What do you think?
An unauthorized computer access event occurs. System logs and other operating data provide evidence that personal information records were accessed. The logs indicate that the information records were copied and exported; however, there is no further evidence, including from named individuals, that the personal records have been improperly used, such as for identity theft.
A second variation involves the physical theft of a laptop or other computer equipment on which personal information was stored, perhaps even in unencrypted formats that would allow fairly easy access and use of the information. Again, there is no further evidence the personal information has, in fact, been improperly used. That exact fact pattern was the basis of a recent Illinois court decision, Maglio v. Advocate Health and Hospitals Corporation.
In each variation, the individuals to whom the information relates file lawsuits, claiming negligence by the custodian, for which they are entitled to compensation. However, none of them could actually prove they had experienced any direct injuries, such as the unauthorized use of credit cards, false mortgage loan applications, etc.
It is easy to imagine a more corporate scenario. A cloud service provider is storing sensitive business data of a corporate client. The service provider’s systems are compromised but, again, there is no evidence that proves any harm to the client, other than the loss of confidentiality. Indeed, the Canadian case involving Boeing, discussed in an earlier post here, involved those facts. Based on the public record to date, there is no evidence the alleged thief actually harmed Boeing by delivering the copied files to a competitor. The data was still on Boeing’s systems; there was no actual loss of the kind that occurs when a lawnmower is stolen out of your garage.
So the new legal theory is that, unless the owners or data subjects can prove economic harm or other injuries, the mere unauthorized access does not give them the basis to pursue any legal remedy against the data custodian. Indeed, that was the exact holding of the Illinois court in rejecting a case filed by the affected individuals.
Clearly, in any of these scenarios, there is a sense of loss, a sense of invasion, a sense that trust in the custodian has truly been compromised. But will the law provide the affected subject a right of recourse where there is no economically measurable injury? Will courts of other nations recognize rulings in another country seeking the recovery of damages when, in fact, there is no measurable injury?
What is the right outcome here? Can we put a price tag on the loss of digital trust?
To be honest, I am still trying to form my own opinion. I would welcome hearing yours.